Servage Magazine


Share PHP session data between HTTP and HTTPS requests

Tuesday, January 4th, 2011 by Servage

There is a problem with basic PHP sessions. Specifically, it is about the situation of having SSL and non-SSL pages that need to share session information while the session still remains secure. PHP itself solves this problem somewhat simply, and insufficiently in my opinion. There are multiple security aspects to consider when working with sessions, and you are able to maintain secure sessions with the default PHP functionality. But when you want to share session data between SSL and non-SSL requests, you run into a problem.

The problem

  1. The session is identified by a session ID stored in a cookie in the user’s browser.
  2. Critical session data, such as the user ID of the currently logged-in user, is something you should NOT store in your HTTP session. Why? Because the unencrypted HTTP data (including the session ID) could be sniffed by an attacker, who could then hijack the session.
  3. Non-critical session data, such as the current user’s preferred language, can be stored in a session without worries (except maybe privacy issues).

The default solution in PHP

  1. When using session_start(), a cookie with a session ID is generated and stored in the user’s browser. The session ID is sent with every following request, so the PHP script can identify the user’s session.
  2. You can set a session configuration parameter in PHP that restricts the session cookie to be sent only on HTTPS requests. This means the session ID is only ever sent encrypted, but it also renders the session useless for HTTP requests, i.e. there will be two separate sessions: one for HTTP and one for HTTPS.
  3. Session data is therefore not maintained across HTTP and HTTPS requests, because of the secure cookie.

A better solution

The default PHP functionality isn’t enough. I could force SSL for all requests, but that drains performance. I want general session data to be available for all requests, regardless of SSL, and I want secure session data to be transmitted only on SSL connections. My script will make sure the user accesses pages with the correct protocol (i.e. HTTPS for the login page and profile management, and HTTP on the product pages etc.).

My solution starts where the default PHP functionality stops. I suggest using a regular PHP session for the “general” data. No restrictions, no security. Just transfer the session ID cookie, and remember to store only convenience data, never sensitive data, in that session. For the sensitive data I create another session class with its own session handler. Thereby I have the normal PHP session for EVERY request, and on the HTTPS requests I have another session, the secure session, loaded as well. In my opinion this is the most elegant way to share session data between HTTP and HTTPS requests and still hide secure data from insecure connections.
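The two-session layout described above, as an added example (not Servage’s code). It assumes PHP 7.4+, a file-backed store under the system temp directory, and the cookie name SECURESESSID; the variable $authenticatedUserId stands in for the result of your own login check.

```php
<?php
// Added example, not Servage's code. Assumes PHP 7.4+, a file-backed store and the
// cookie name SECURESESSID. The regular PHP session carries convenience data on every
// request; a second session, with a Secure-flagged cookie, is opened on HTTPS only.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();                                  // general session: HTTP and HTTPS

final class SecureSession
{
    private const COOKIE = 'SECURESESSID';        // separate from PHPSESSID
    private string $file;
    public array $data = [];
    public static function isHttps(): bool
    {
        return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    }
    public function __construct(string $dir)
    {
        if (!self::isHttps()) {
            throw new RuntimeException('secure session requires HTTPS');
        }
        $id = $_COOKIE[self::COOKIE] ?? '';
        // Accept only IDs in our own format; anything else gets a fresh random ID that
        // is independent of the general session ID (which travels in clear over HTTP).
        if (!preg_match('/^[0-9a-f]{64}$/', $id)) {
            $id = bin2hex(random_bytes(32));
        }
        setcookie(self::COOKIE, $id, ['secure' => true, 'httponly' => true,
                                      'samesite' => 'Strict', 'path' => '/']);
        $this->file = rtrim($dir, '/') . '/secsess_' . $id;
        if (is_file($this->file)) {
            $stored = json_decode((string) file_get_contents($this->file), true);
            $this->data = is_array($stored) ? $stored : [];
        }
    }

    public function save(): void
    {
        file_put_contents($this->file, json_encode($this->data), LOCK_EX);
    }
}

$_SESSION['lang'] = $_SESSION['lang'] ?? 'en';    // convenience data, any request
if (SecureSession::isHttps()) {                   // sensitive data, HTTPS requests only
    $secure = new SecureSession(sys_get_temp_dir());
    if (isset($authenticatedUserId)) {            // produced by your own login check (assumed)
        $secure->data['user_id'] = $authenticatedUserId;
    }
    $secure->save();
}
```

Behind a TLS-terminating proxy $_SERVER['HTTPS'] is usually not set, so isHttps() would have to consult the proxy’s forwarded-protocol header, and only from a proxy you trust.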

Other session tips

There are other ways for attackers to compromise your sessions. They are discussed in various articles across the web. I strongly suggest you add some checks to your session handler. One of the most basic checks is the user agent: if the session was created in Internet Explorer, it is unlikely that the legitimate user will suddenly make a request with Mozilla. But remember: no single check can by itself guarantee complete security, but each one helps raise your overall level of security.

Categories: Tips & Tricks

1 comment

I like it.